integrity="sha...-..." for unpkg URL would be nice

[guettli]

Hi,

I don't know if this does a lot of trouble in your release process, but wouldn't it be more secure to add a hash value to the URL you show in the docs?

For example bootstrap uses this:

<script src="https://cdn.jsdelivr.net/npm/bootstrap@5.0.0-beta1/dist/js/bootstrap.bundle.min.js" 
    integrity="sha384-ygbV9kiqUc6oa4msXn9868pTtWMgiQaeYH7/t7LECLbyPA2x65Kgf80OJFdroafW" 
    crossorigin="anonymous"></script>

I don't know if crossorigin="anonymous" makes sense.

Background: if the unpkg server got hacked, they could inject evil code into my application (but I guess you know this).

[1cg]

good idea

Is there an easy way to get the sha code?

[guettli]

There is this online service:

https://www.srihash.org/

<script src="https://unpkg.com/htmx.org@1.0.2" integrity="sha384-uG2fggOnt72f9yU5g6r04wPKVnlrpuTRachw1fB6euaHlWgObEcF9zSrDBuBMZ9H" crossorigin="anonymous"></script>

Of course, this is some work to update it for every release, maybe there is a way to automate this.

[bencroker]

Great suggestion @guettli!! I think using https://www.srihash.org/ when each new version is released is reasonable.

Using crossorigin="anonymous" is required, as it tells the browser to fetch the script without sending user-credentials.

Subresource Integrity is not supported by IE11, but my guess is that IE will simply ignore it, which is fine.

Associated docs:
https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes/crossorigin

[bencroker]

Added in 2499401.